Adding create:user_tickets scope for React app

msing · August 8, 2023, 1:08pm

I am trying to create a password change ticket using the Auth0 Management API from a React application. I tried to set the “create:user_tickets” scope but when I receive my token back that scope is missing. All other scopes I have set work (openid email profile read:current_user update:current_user_metadata) and my other calls to management API for user profile information work as well. I have the audience set to the management API in the Authorization params in Auth0 Provider.

Is this a limitation with a single page application?
Using the @auth0/auth0-react package.

dan.woda · August 14, 2023, 1:28pm

Hi @msing,

Welcome to the Auth0 Community!

Yes, there is a limitation for public clients when requesting tokens for the Management API. This includes create:user_tickets scopes. For example, if a user was to inspect the React app and grab the token with this scope, they could change any user’s password.

This type of request should be made from a secure backend or API.

system · August 29, 2023, 1:05pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.